| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
|
|
|
|
The long double declaration will enable SSE and cause a compilation
error. Disabling everything related to floating points avoids the
error.
|
|
bio_printf() was replaced with a dummy function and this made
several openssl functions useless. This commit adds the print
functions back, so that we don't have to implement our own
ASN1 time print function.
|
|
|
|
|
|
|
|
|
|
|
|
Basically, if you don't want grub.efi, you do:
make 'DEFAULT_LOADER=\\\\grubx64.efi'
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Make it easier to change the PXE 2nd stage loader.
Conflicts:
netboot.c
|
|
|
|
- The file path from DevicePathToStr may use slash as the file
seperator. Change all slashes to backslashes to avoid the strange
bootpath.
- Remove the redundant backslashes.
- ImagePath no longer requires the leading backslash.
- Fix a memory leak
Based on the patch from Michal Marek <mmarek@suse.com>
|
|
|
|
|
|
Conflicts:
Makefile
|
|
|
|
The password format is introduced for the password hash generated by crypt(),
so that the user can import the password hash from /etc/shadow. The packager,
especially those who packages 3rd party drivers, can utilize this feature to
import a 3rd party certificate without interfering the package installation.
This commit implements the sha256-based crypt() hash function.
Conflicts:
Makefile
MokManager.c
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
|
The dir filter appends L'/' to the directory entries without
allocating a new buffer, and this could crash the whole program.
|
|
This is the first stage of porting the MokManager UI to the UI code used
by the Linux Foundation UEFI loader.
|
|
This is the first stage of porting the MokManager UI to the UI code used
by the Linux Foundation UEFI loader.
Conflicts:
MokManager.c
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
Conflicts:
MokManager.c
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Without this patch, on some machines we never see MokManager's UI. This
protocol has never (I think?) been officially published, and yet I still
have new hardware that needs it.
If you're looking for a reference, look at:
EdkCompatibilityPkg/Foundation/Protocol/ConsoleControl/ConsoleControl.c
in the edk2 tree from Tiano.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
|
The maximum length of a string representation of an ipv6 address is 39
characters (8 groups of 4 hex chars, with 7 colons in between). So don't
allocate more room than this - and more importantly, don't blindly accept
strings from the server that are longer than our buffer...
|
|
|
|
|
|
We don't need to add one because our end pointer is already off the end of
the string we want to copy.
|
|
Fix various errors in the tftp string handling, to ensure we always have
properly nul-terminated strings.
|
|
|
|
A wrong pointer was being passed to EFI_PXE_BASE_CODE_TFTP_READ_FILE,
preventing us from getting the file size back from the tftp call, ensuring
that we don't have enough information to properly secureboot-validate the
retrieved image.
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Right now the CA is checking if shim builds expose a particular version
of the shim protocol. To do this, they're looking for SHIM_LOCK_GUID's
value in the resulting binary.
Currently, with SHIM_LOCK_GUID as a macro that gets assigned to local
variables, that means they have to compensate for mov instructions mixed
in with the actual value. This is completely absurd, so promote it to a
first-class object with a symbol to make it both easy to find and
continuous.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
There's no point to this text, and it generally confuses people.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
The call can simply fail if it isn't found - which will be the case on
removeable install media.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This also fixes the size of an empty vendor_cert or dbx_cert.
Signed-off-by: Peter Jones <shim-owner@fedoraproject.org>
|
|
Since I've finally merged in the "sections" branch, best to increment
the version number.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
With this change, the embedded certificate and dbx lists (vendor_cert,
vendor_cert_size, vendor_dbx, and vendor_dbx_size) wind up being in a
section named .vendor_cert, and so will look something like:
------
fenchurch:~/devel/github.com/shim$ objdump -h shim.efi
shim.efi: file format pei-x86-64
Sections:
Idx Name Size VMA LMA File off Algn
0 .eh_frame 000174a8 0000000000005000 0000000000005000 00000400 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
1 .text 000aa7e1 000000000001d000 000000000001d000 00017a00 2**4
CONTENTS, ALLOC, LOAD, READONLY, CODE
2 .reloc 0000000a 00000000000c8000 00000000000c8000 000c2200 2**0
CONTENTS, ALLOC, LOAD, READONLY, DATA
3 .data 00031228 00000000000c9000 00000000000c9000 000c2400 2**5
CONTENTS, ALLOC, LOAD, DATA
4 .vendor_cert 00000375 00000000000fb000 00000000000fb000 000f3800 2**0
CONTENTS, READONLY
5 .dynamic 000000f0 00000000000fc000 00000000000fc000 000f3c00 2**3
CONTENTS, ALLOC, LOAD, DATA
6 .rela 0002afa8 00000000000fd000 00000000000fd000 000f3e00 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
7 .dynsym 0000f1f8 0000000000128000 0000000000128000 0011ee00 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
------
This simplifies a security audit, because it means that different
versions of shim with substantially the same code with different keys
will be more easily comperable, and therefore logic differences may be
more easily identified.
This also means that if there's a trusted build you want to use, you can
remove the certificates, implant new ones, and have it signed, and the
code sections won't change.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
The thing about subtraction is that the minuend needs to be before the
subtrahend in the text.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
